Rick Moen <rick@linuxmafia.com> writes:
> My perspective is influenced by the fact that all attempts to help debug
> Linux networking failures have to start with "What does /sbin/iptables
> -L, run as root, say?" and "What's in /etc/hosts.allow and
> /etc/hosts.deny?" -- because people shooting at their pedal extremities
> with those, without any idea what they're doing, is a leading cause of
> networking problems.
Yes, exactly.
All computer security is a tradeoff between security and usability.
There's no way around that except in rare win-win situations. If you add
more security, you reduce usability. If you reduce usability too far,
people will make stupid security decisions out of frustration and you can
easily end up in a worse situation than if you hadn't tried to add
security in the first place. (You get users trained to press Okay on
every security-related dialog box, for example.)
I think the average end user expects that, after they have installed a
package, that package will work as advertised. If the act of installing
the package is dangerous, I think that's something that ideally should be
dealt with at the time of the installation decision, while the user is
thinking about it. A debconf question asking the user if they really want
to listen to Avahi events on the local network, for example. Letting the
package install but then rendering it partly non-functional with a
firewall that has to be changed somewhere else or that will pop up the
first time the user tries to use some bit of functionality (possibly weeks
later) strikes me as bad user interaction design.
--
Russ Allbery (rra@debian.org) <http://www.eyrie.org/~eagle/>
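The quoted checklist (the output of `iptables -L` run as root, plus the contents of `/etc/hosts.allow` and `/etc/hosts.deny`) is easy to script. The following is an added example, not code from either poster: it collects those three pieces of state, reports when `iptables` is unavailable or not run as root, and flags the classic self-inflicted lockout of a catch-all `ALL: ALL` in `hosts.deny` with nothing in `hosts.allow`. The file paths and the sample file contents at the bottom are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread: gather the three things the quoted
# message says a Linux networking debug session starts with (iptables -L,
# /etc/hosts.allow, /etc/hosts.deny) and flag the most common self-inflicted
# wound in the TCP wrappers files. Paths and sample contents are assumptions.

# Number of active (non-comment, non-blank) lines in a hosts.allow/hosts.deny
# file. A missing file counts as zero rules, which is how tcpd treats it.
active_rule_count() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -cv -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1" || true
}

# Succeeds (exit 0) when hosts.deny contains a catch-all "ALL: ALL" rule and
# hosts.allow has no active entries, i.e. every tcpd-wrapped service refuses
# every client. That is the usual "I locked myself out" configuration.
has_blanket_deny() {
    deny="$1"; allow="$2"
    [ -r "$deny" ] || return 1
    grep -Eq '^[[:space:]]*ALL[[:space:]]*:[[:space:]]*ALL([[:space:]:]|$)' "$deny" || return 1
    [ "$(active_rule_count "$allow")" -eq 0 ]
}

# Print the active lines of a wrappers file, or "(none)".
show_wrapper_file() {
    echo "== $1 =="
    if [ "$(active_rule_count "$1")" -eq 0 ]; then
        echo "(none)"
    else
        grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1"
    fi
}

# Dump the filter table. iptables needs root, so say so instead of failing
# silently when run as an ordinary user.
firewall_rules() {
    echo "== iptables -L =="
    if ! command -v iptables >/dev/null 2>&1; then
        echo "iptables: not installed"
    elif [ "$(id -u)" -ne 0 ]; then
        echo "iptables -L needs root; re-run with sudo"
    else
        iptables -L -n -v 2>&1 || echo "iptables -L failed (no netfilter access?)"
    fi
}

# Full report for a given hosts.allow/hosts.deny pair (defaults to /etc).
network_debug_report() {
    allow="${1:-/etc/hosts.allow}"; deny="${2:-/etc/hosts.deny}"
    firewall_rules
    show_wrapper_file "$allow"
    show_wrapper_file "$deny"
    if has_blanket_deny "$deny" "$allow"; then
        echo "WARNING: $deny denies ALL: ALL and $allow is empty; tcpd-wrapped services will refuse every client"
    fi
}

# Constructed sample files so the report can be exercised without touching /etc.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/hosts.allow" <<'EOF'
# nothing uncommented here
EOF
cat > "$SAMPLE_DIR/hosts.deny" <<'EOF'
# lock everything down "for security"
ALL: ALL
EOF

network_debug_report "$SAMPLE_DIR/hosts.allow" "$SAMPLE_DIR/hosts.deny"
```

Run it with no arguments as root to inspect the live `/etc` files; the sample run at the bottom shows the warning path. Note that `hosts.allow` is consulted before `hosts.deny`, so a single allow line for the service in question is enough to make the blanket deny stop biting.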